
Mimail.C worm

By Mary Landesman, About.com

Nov 3 2003

It seems the promise of private (and presumably nude) photos of strangers may be too much for some folks to resist. The Mimail.C worm was discovered on October 31st and was almost immediately rated a medium threat under McAfee's AVERT risk assessment. Like its predecessor Mimail.A, Mimail.C arrives in an email with a ZIP attachment.

The attachment is a compressed file, aptly named photos.zip, which contains the file photos.jpg.exe. Because Windows hides known file extensions by default, this filename appears as photos.jpg. To avoid being fooled by this double-extension ruse, enable the display of file extensions in Windows. Instead of a harmless JPG, the file is really a malicious executable: opening it infects the system, which in turn spreads the infection to others.

The email composed by Mimail.C appears as follows:

    Re[2]: our private photos (several blank spaces followed by random letters)

    Hello Dear!

    Finaly i've found possibility to right u, my lovely girl :) All our photos which i've made at the beach (even when u're without ur bh:))
    photos are great! This evening i'll come and we'll make the best SEX :)

    Right now enjoy the photos.

    Kiss, James.
    (followed by the same random characters found in the email subject)

Symptoms of infection
Mimail.C creates four files in the Windows directory:

  • EML.TMP - contains email addresses harvested from infected machine
  • EXE.TMP - copy of Mimail.C worm
  • NETWATCH.EXE - installed copy of Mimail.C worm
  • ZIP.TMP - ZIP archive of Mimail.C

Mimail.C adds a value to the following key in the system Registry so that NETWATCH.EXE is loaded on system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The value added is:

"NetWatch32" = C:\%windir%\NETWATCH.EXE

Mimail.C then mass-mails itself to others, using any email addresses found on the infected system. It searches the entire hard drive for email addresses, skipping files of the following types: AVI, BMP, CAB, COM, DLL, EXE, GIF, JPG, MP3, MPG, OCX, PDF, PSD, RAR, TIF, VXD, WAV, ZIP.

Mimail.C contains its own SMTP engine, so the copies it sends will not appear in the Sent folder of the email client. According to McAfee's AVERT, Mimail.C also tries to launch a Distributed Denial of Service (DDoS) attack against a certain remote server by sending it large amounts of garbage data.

To manually remove Mimail.C from an infected system, delete the NetWatch32 Registry value added by the worm and delete the dropped files. Antivirus software updated after Mimail.C's discovery should also be able to detect and remove the worm. Mimail.C is also known as W32/Mimail-C, W32/Mimail.c@MM, I-Worm.WatchNet, and W32/Bics@MM.
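The indicators listed above (the double-extension attachment name, the NetWatch32 Run value and the four dropped files) can be checked programmatically. The following script is an added example, not code from About.com or from any antivirus vendor; it works on a Run-key dump and a Windows-directory listing that are constructed inline, and on a real host those would be collected with winreg and os.listdir.

```python
"""Check for the Mimail.C indicators described above (added example)."""
from pathlib import PureWindowsPath

# Indicators from the article: the Run value name and the four dropped files.
MIMAIL_C_RUN_VALUE = "NetWatch32"
MIMAIL_C_FILES = {"EML.TMP", "EXE.TMP", "NETWATCH.EXE", "ZIP.TMP"}

# Extensions Windows executes even when an earlier extension
# (photos.jpg.exe) makes the name look like an image or document.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}


def is_double_extension_ruse(filename: str) -> bool:
    """True when an executable extension hides behind a benign-looking one."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTENSIONS


def find_mimail_c_indicators(run_values: dict, windir_files: list) -> list:
    """Return the Mimail.C indicators present in a Run-key dump and a
    Windows-directory listing (file names only, case-insensitive)."""
    hits = []
    for name, data in run_values.items():
        if (name.lower() == MIMAIL_C_RUN_VALUE.lower()
                or "netwatch.exe" in str(data).lower()):
            hits.append(f"Run value {name} = {data}")
    present = {f.upper() for f in windir_files} & MIMAIL_C_FILES
    hits.extend(f"dropped file {f}" for f in sorted(present))
    return hits


# Constructed sample data standing in for a real host's Run key and %windir%.
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "NetWatch32": r"C:\%windir%\NETWATCH.EXE",
}
SAMPLE_WINDIR = ["explorer.exe", "netwatch.exe", "eml.tmp", "zip.tmp", "win.ini"]

if __name__ == "__main__":
    print("photos.jpg.exe suspicious:", is_double_extension_ruse("photos.jpg.exe"))
    for hit in find_mimail_c_indicators(SAMPLE_RUN_VALUES, SAMPLE_WINDIR):
        print("indicator:", hit)
```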

©2009 About.com, a part of The New York Times Company. All rights reserved.